On 14.11.2015 at 20:12, Jo Rhett wrote:
> Got a sudden surge in reported spam. Turns out every bit of it is coming from Colo Crossing IP blocks. No abuse web interfaces or open relays either, this is pure source spam with the same spams arriving from multiple IP blocks within Colo Crossing. Turns out mail review shows we've last seen HAM from their IP blocks over 3 years ago. Seems like they've turned a corner.
>
> 192.227.128.0/17
> 198.23.128.0/17
> 172.245.0.0/16
[root@mail-gw:~]$ ptr-check.sh 192-3-13-90-host.colocrossing.com
REJECT Generic DNS-Reverse-Lookup (PTR-Rule: 446) see http://www.emailtalk.org/ptr.aspx or configure http://en.wikipedia.org/wiki/Sender_Policy_Framework
PTR checks are backed by DNSWL and SPF-Pass long before the spamass-milter; such PTRs are hardly legit mailservers, and if they are, they are likely known by one or more DNSWLs.
"check_policy_service unix:private/spf-policy" can be configured to skip all following rules in case of SPF_PASS
_____________________________________

DNSWL 89.64 %
SPF   63.16 %

so only a very small percentage of all mail hits ptr/helo-checks, sender-verify or greylisting, and 95% of all inbound attempts are killed by postscreen long before - build up your inbound with multiple stages and you are done with such spam as above
_____________________________________

smtpd_recipient_restrictions =
    reject_unlisted_recipient
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    check_recipient_access proxy:hash:/etc/postfix/whitelist_rcpt.cf
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    check_helo_access proxy:pcre:/etc/postfix/blacklist_helo_unconditional.cf
    check_recipient_access proxy:hash:/etc/postfix/blacklist_rcpt.cf
    check_sender_access proxy:hash:/etc/postfix/whitelist_sender.cf
    check_sender_access proxy:hash:/etc/postfix/blacklist_sender.cf
    check_sender_access proxy:hash:/etc/postfix/spoofing_protection.cf
    check_sender_access proxy:pcre:/etc/postfix/blacklist_sender_regex.cf
    reject_unknown_sender_domain
    check_sender_ns_access proxy:hash:/etc/postfix/blacklist_ns.cf
    check_recipient_access proxy:hash:/etc/postfix/skip_spf_check.cf
    permit_dnswl_client wl.mailspike.net=127.0.0.[19;20]
    permit_dnswl_client list.dnswl.org=127.0.[0..255].[2;3]
    check_policy_service unix:private/spf-policy
    check_recipient_access proxy:hash:/etc/postfix/skip_ptr_check.cf
    reject_unknown_reverse_client_hostname
    permit_dnswl_client wl.mailspike.net=127.0.0.[16;17;18]
    permit_dnswl_client list.dnswl.org=127.0.[0..255].[0..254]
    permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.[1;3;5]
    permit_dnswl_client iadb.isipp.com
    permit_dnswl_client sa-accredit.habeas.com
    permit_dnswl_client dnswl.inps.de=127.0.[0;1].[2..10]
    permit_dnswl_client swl.spamhaus.org=127.0.2.[2;3;102;103]
    check_policy_service unix:/var/spool/postfix/postgrey/socket
    ${stress?sleep 0}${stress: sleep 3}
    check_helo_access proxy:pcre:/etc/postfix/blacklist_helo.cf
    check_reverse_client_hostname_access proxy:pcre:/etc/postfix/blacklist_generic_ptr.cf
    reject_unverified_sender
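As an added illustration of the reverse-DNS stage above (not code from this thread, from ptr-check.sh, or from the poster's blacklist_generic_ptr.cf), a Python version of the check: a client with no PTR is rejected like reject_unknown_reverse_client_hostname does, and a PTR that merely spells out the client's own address (the 192-3-13-90-host.colocrossing.com shape) is rejected as generic reverse DNS. The client address 192.3.13.90 is assumed from the PTR name; the sample inputs are constructed.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample: the PTR shown in the thread; the client address is assumed.
SAMPLE_CLIENT_IP = "192.3.13.90"
SAMPLE_PTR = "192-3-13-90-host.colocrossing.com"


def _labels(name: str) -> list:
    """Split a hostname on '.' and '-'; purely numeric labels become ints so that
    zero-padded octets such as 003 compare equal to 3."""
    return [int(p) if p.isdigit() else p for p in re.split(r"[.-]", name.lower())]


def ptr_embeds_client_ip(client_ip: str, ptr: str) -> bool:
    """True when the four octets of client_ip occur as consecutive labels of the
    PTR name, in forward or reversed order (e.g. 192-3-13-90-host..., or
    host-90-13-3-192...), which is the shape of auto-generated reverse DNS."""
    octets = [int(o) for o in ipaddress.IPv4Address(client_ip).exploded.split(".")]
    labels = _labels(ptr)

    def has_run(seq: list) -> bool:
        n = len(seq)
        return any(labels[i:i + n] == seq for i in range(len(labels) - n + 1))

    return has_run(octets) or has_run(octets[::-1])


def check_ptr(client_ip: str, ptr: Optional[str]) -> str:
    """Return a Postfix-style action for the connecting client:
    REJECT when there is no PTR at all, REJECT when the PTR is generic,
    otherwise DUNNO so the next restriction (DNSWL, greylisting, ...) decides."""
    if not ptr:
        return "REJECT No DNS reverse lookup for client"
    if ptr_embeds_client_ip(client_ip, ptr):
        return "REJECT Generic DNS-Reverse-Lookup"
    return "DUNNO"


if __name__ == "__main__":
    print(SAMPLE_PTR, "->", check_ptr(SAMPLE_CLIENT_IP, SAMPLE_PTR))
```

In the restriction list above this check sits after the SPF policy service and the first DNSWL lookups, so a listed or SPF-passing sender never reaches it.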